D-2007-123                                                      September 12, 2007

Summary of Information Assurance Weaknesses Found in
Audit Reports Issued From August 1, 2006,
Through July 31, 2007

Additional Copies

To obtain additional copies of this report, visit the Web site of the Department of
Defense Inspector General at http://www.dodig.mil/audit/reports or contact the
Secondary Reports Distribution Unit at (703) 604-8937 (DSN 664-8937) or fax
(703) 604-8932.

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact the Office of the Deputy
Inspector General for Auditing at (703) 604-9142 (DSN 664-9142) or fax (703)
604-8932. Ideas and requests can also be mailed to:

    ODIG-AUD (ATTN: Audit Suggestions)
    Department of Defense Inspector General
    400 Army Navy Drive (Room 801)
    Arlington, VA 22202-4704

Acronyms

FISMA    Federal Information Security Management Act
GAO      Government Accountability Office
IA       Information Assurance
OIG      Office of Inspector General
OMB      Office of Management and Budget

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202-4704

September 12, 2007

MEMORANDUM FOR ASSISTANT SECRETARY OF THE AIR FORCE
               (FINANCIAL MANAGEMENT AND COMPTROLLER)
               NAVAL INSPECTOR GENERAL
               AUDITOR GENERAL, DEPARTMENT OF THE ARMY

SUBJECT: Report on Summary of Information Assurance Weaknesses Found in Audit
         Reports Issued From August 1, 2006, Through July 31, 2007
         (Report No. D-2007-123)

We are providing this summary report for information and use. We did not issue
a draft report because this report summarizes material that has already been published.
This report contains no recommendations; therefore, no written response to this report
was required, and none was received.

We appreciate the courtesies extended to the staff. Questions should be directed
to Ms. Kathryn M. Truex at (703) 604-8966 (DSN 664-8966) or Mr. Robert R. Johnson at
(703) 604-9024 (DSN 664-9024). See Appendix G for the report distribution. The team
members are listed inside the back cover.

By direction of the Deputy Inspector General for Auditing:

[signature]
A. Scott
Assistant Inspector General
Readiness and Operations Support

Department of Defense Office of Inspector General
Report No. D-2007-123                                          September 12, 2007
(Project No. D2007-D000LB-0115.000)

Summary of Information Assurance Weaknesses Found in Audit Reports
Issued From August 1, 2006, Through July 31, 2007

Executive Summary

Who Should Read This Report and Why? Military and civil service personnel who
develop, manage, operate, or oversee DoD information technology resources should read
this report to obtain better awareness of identified challenges to information assurance
and the potential risks those challenges pose in the context of a shared DoD information
technology environment.

Background.
This report summarizes information assurance weaknesses that the
Government Accountability Office, the DoD Office of Inspector General, the Army
Audit Agency, the Naval Audit Service, and the Air Force Audit Agency reported
between August 1, 2006, and July 31, 2007. It supports the Federal Information Security
Management Act of 2002, which requires that agencies submit to the Office of
Management and Budget the results of an annual independent evaluation of the
effectiveness of their information security programs and practices. The evaluation should
include testing of the effectiveness of information security policies, procedures, and
practices of a subset of the agency's information systems and may be based, in whole or
in part, on an audit, evaluation, or report relating to agency programs or practices. This
report is the ninth information assurance summary report issued by the DoD Office of the
Inspector General since January 1999.

Summary of Information Assurance Weaknesses. Between August 1, 2006, and
July 31, 2007, the Government Accountability Office, the DoD Office of Inspector
General, the Army Audit Agency, the Naval Audit Service, and the Air Force Audit
Agency issued 36 reports addressing a wide range of information assurance weaknesses
that persist throughout DoD systems and networks. If these weaknesses continue, they
will impede the ability of DoD to mitigate risks in a shared information technology
environment. Those risks include unauthorized access to information or information
systems and their consequent loss, misuse, or modification. A loss of information is itself
unacceptable and could result in loss of mission effectiveness.

Table of Contents

Executive Summary                                                               i

Background                                                                      1

Objectives                                                                      2

Finding
    Information Assurance Weaknesses Persist Throughout DoD                     3

Appendixes
    A. Scope and Methodology                                                    7
    B. Prior Coverage                                                           8
    C. Glossary                                                                 9
    D. Matrix of Information Assurance Weaknesses Reported From
       August 1, 2006, Through July 31, 2007                                   12
    E. Audit Reports Issued From August 1, 2006, Through July 31, 2007,
       Identifying Information Assurance Weaknesses                            14
    F. Audit Reports From Prior Information Assurance Summary Reports
       With Unresolved Recommendations                                         17
    G. Report Distribution                                                     21

Background

This report summarizes information assurance (IA) weaknesses that the
Government Accountability Office (GAO) and the DoD audit community—the
DoD Office of Inspector General (OIG), the Army Audit Agency, the Naval Audit
Service, and the Air Force Audit Agency—identified in reports between
August 1, 2006, and July 31, 2007. This report is the ninth annual IA summary
the DoD OIG has issued since January 1999.
The nine IA reports summarize 405
reports on IA weaknesses.

This report supports the DoD OIG response to section 3545 of Public
Law 107-347, Title III, "Federal Information Security Management Act,"
December 17, 2002, requiring agencies to submit the results of an annual
independent evaluation of the effectiveness of their information security policies,
procedures, and practices to the Office of Management and Budget (OMB). The
evaluation results may be based, in whole or in part, on an audit, evaluation, or
report relating to agency programs and practices.

Privacy Act of 1974. The intent of the Privacy Act of 1974, section 552a (as
amended), Title 5, United States Code, is to require Federal agencies to protect
individuals against unwarranted invasions of their privacy by limiting the
collection, maintenance, use, and disclosure of personal information about them.
The Act requires that Federal agencies establish information practices that restrict
disclosure of personally identifiable records and grants individuals increased
access to agency records maintained on them. The E-Government Act of 2002
additionally requires that Federal agencies protect the collection of personal
information in Federal government information systems by conducting Privacy
Impact Assessments. A Privacy Impact Assessment is an analysis of how
personal information is collected, stored, shared, and managed in Federal
information technology systems.

Federal Information Security Management Act. The Federal Information
Security Management Act (FISMA) provides a comprehensive framework for
ensuring the effectiveness of IA controls over information resources that support
Federal operations and assets. FISMA requires that each agency develop,
document, and implement an agency-wide IA program to provide IA for the
information and information systems that support the operations and assets of the
agency. Each agency is to comply with FISMA and related policies, procedures,
standards, and guidelines, including the information security standards
promulgated under section 11331, Title 40, United States Code
(40 U.S.C. 11331), "Responsibilities for Federal information systems standards."
40 U.S.C. 11331 requires that standards and guidelines for Federal information
systems be based on standards and guidelines developed by the National Institute
of Standards and Technology. FISMA permits agencies to develop and use their
own IA standards as long as they are more stringent than those prescribed under
FISMA.

National Institute of Standards and Technology. To meet its statutory
responsibilities under FISMA, the National Institute of Standards and
Technology, part of the U.S. Department of Commerce, developed a series of
standards and guidelines to provide IA for operations and assets of Federal
agencies. Specifically, the Computer Security Division of the Information
Technology Laboratory developed computer security prototypes, tests, standards,
and procedures designed to protect sensitive information from unauthorized
access or modification. Focus areas include cryptographic technology and
applications, advanced authentication, public key infrastructure, internetworking
security, criteria and assurance, and security management and support. The
standards and guidelines present the results of National Institute of Standards and
Technology studies, investigations, and research on information technology
security.

DoD Information Assurance Guidance. DoD IA guidance includes:

    •  DoD Instruction 5200.40, "DoD Information Technology Security
       Certification and Accreditation Process (DITSCAP),"
       December 30, 1997, which establishes policy, assigns responsibilities,
       and prescribes procedures for the certification and accreditation of
       information technology;

    •  DoD Directive 5400.11, "DoD Privacy Program," May 8, 2007, which
       establishes policy for the respect and protection of an individual's
       personal information and fundamental right to privacy;

    •  DoD Directive 8500.1, "Information Assurance," October 24, 2002,
       which establishes policy and assigns responsibility to achieve IA
       throughout DoD;

    •  DoD Instruction 8500.2, "Information Assurance Implementation,"
       February 6, 2003, which implements the policy, assigns
       responsibilities, and prescribes procedures for applying integrated
       layered protection of DoD information systems and networks as DoD
       Directive 8500.1 outlines; and

    •  DoD Directive 8570.1, "Information Assurance Training,
       Certification, and Workforce Management," August 15, 2004, which
       establishes policy and assigns responsibility for DoD IA training,
       certification, and workforce management.

Objectives

This is one in a series of summary reports that the DoD OIG has issued annually
since 1999. The overall objective was to summarize reports by GAO and the
DoD audit community between August 1, 2006, and July 31, 2007. This
summary report supports the DoD OIG response to the requirements of FISMA.

See Appendix A for a discussion of the scope and methodology, and Appendix B
for prior coverage related to the objective.

Information Assurance Weaknesses Persist Throughout DoD

Between August 1, 2006, and July 31, 2007, GAO and the DoD audit
community issued 36 reports addressing a wide range of IA weaknesses
that persist throughout DoD systems and networks.* This report
summarizes those reports.

If the IA weaknesses continue, they will impede the ability of DoD to
mitigate risks in a shared information technology environment. Those
risks include harm resulting from loss, misuse, unauthorized access, and
modification of information or information systems. A loss of information
in DoD information systems is itself unacceptable and could undermine
mission effectiveness.

Reports on Information Assurance Weaknesses

The weaknesses identified in reports by GAO and the DoD audit community were
defined by FISMA, DoD Instruction 5200.40, DoD Directive 5400.11, DoD
Instruction 8500.2, or DoD Directive 8570.1. The table below shows
the number of GAO and DoD audit community reports, by agency, that identify
weaknesses in IA areas.
See Appendix C for a glossary of specialized terms.

* DoD OIG reported similar IA weaknesses in eight previous IA summary reports.

Audit Reports Identifying Information Assurance Weaknesses
(August 1, 2006, through July 31, 2007)

IA Areas                                                 GAO   DoD OIG   Military Departments   Total
Access Controls                                           0       7               8              15
Certification and Accreditation                           0       6               1               7
Configuration Management                                  0       5               2               7
Contingency Plans                                         0       3               4               7
Continuity of Operations Plans                            0       4               3               7
Federal Information Systems Inventory Reporting           0       2               0               2
Incident Handling                                         0       1               0               1
Personnel Security                                        0       0               1               1
Physical Security                                         0       4               1               5
Plans of Action and Milestones                            0       1               0               1
Privacy Act Information                                   0       1               9              10
Risk, Threat, and Vulnerability Assessments               0       1               1               2
Security Awareness, Training, and Education               0       4               4               8
Security Policies and Procedures/Management Oversight     1       9              23              33

Types of Weaknesses

Reports issued during the reporting period most frequently cited weaknesses in
the following IA areas: access controls; Privacy Act information; security
awareness, training, and education; and security policies and procedures. See
Appendix D for a matrix of the specific IA weaknesses listed by report and
Appendix E for a list of reports reviewed for this IA summary report.

Access Controls. Access controls limit access to information system
resources to authorized users, programs, processes, or other systems. The DoD
audit community reported weaknesses related to access controls in 15 reports.
The weaknesses related to:

    •  user account management, including maintaining complete user
       account forms, reviewing accounts periodically to determine
       whether access is still necessary, and reviewing user activity;

    •  actions allowed by the systems, including access to FOUO,
       Privacy Act, and protected health information by users without
       appropriate rights and permissions;

    •  separation of duties; and

    •  development and implementation of the required audit trail for
       recording changes in user access and permissions.

Privacy Act Information. Agencies are required to limit the collection,
maintenance, use, and disclosure of privacy information on individuals. The DoD
audit community identified weaknesses related to Privacy Act information in 10
reports. The reports identified weaknesses related to:

    •  disposal of documents containing personal protected information;

    •  timely and uniformly implementing privacy program policy; and

    •  meeting Privacy Impact Assessment requirements of the
       E-Government Act of 2002.

In response to DoD OIG Report No. D-2007-099, "DoD Privacy Program and
Privacy Impact Assessments," the Assistant Secretary of Defense for Networks
and Information Integration/Chief Information Officer has agreed to implement
measures that will enhance protection of all personal protected information in
DoD information technology systems. The Navy's Chief Information Officer has
acknowledged the ever-increasing threats to personal identification information
and taken actions to reduce threats and increase the awareness of Navy personnel.
The DoD Senior Privacy Official is waiting until the DoD Privacy Office
compiles the results of a Component Privacy Survey before taking action to
correct deficiencies in the DoD Privacy Program.

Security Awareness, Training, and Education. The reports identified
weaknesses in the area of training for personnel responsible for information
security and the administration of training. The DoD audit community reported
weaknesses relating to security awareness, training, and education in eight issued
reports.

Security Policies and Procedures. The audit reports identified
weaknesses in security policies and procedures. GAO and the DoD audit
community reported weaknesses relating to security policies and procedures in
33 issued reports.

The eight previous IA annual reports summarized 369 reports on IA weaknesses
throughout DoD. Of those 369 reports, 40 reports had unresolved
recommendations, meaning management had not corrected agreed-upon IA
weaknesses within 12 months of the report issue date. Prompt action to correct
the outstanding weaknesses is necessary to mitigate ongoing vulnerabilities in the
DoD IA program. See Appendix F for a listing of reports with unresolved
recommendations relating to IA weaknesses.

Conclusion

Many of the weaknesses reported occurred because management of security
programs was inadequate and security policies and procedures were not in place.
Without adequate security program management and security policies and
procedures, DoD cannot provide and maintain appropriate security for managing,
protecting, and distributing information. Implementing adequate security
program management and security policies and procedures may reduce the risk of
persistent IA weaknesses, thereby reducing unauthorized access to information or
information systems and their consequent loss, misuse, or modification.

Appendix A. Scope and Methodology

This report summarizes the DoD IA weaknesses identified in 36 reports that GAO
and the DoD audit community issued from August 1, 2006, through
July 31, 2007. To prepare this summary, the OIG audit team reviewed the Web
sites of GAO and each component audit organization, as well as requested reports
discussing IA weaknesses from each such organization. The OIG audit team also
reviewed prior IA summary reports and, with the assistance of GAO and DoD
audit community follow-up organizations, summarized reports with unresolved
recommendations on IA weaknesses.

This summary report does not make recommendations because recommendations
were made in the summarized reports. We did not follow generally accepted
government auditing standards in conducting this project because it is a summary
project. We did not summarize congressional testimonies as originally announced
because reviews of IA testimonies issued during the reporting period identified
that the testimonies did not apply specifically, if at all, to DoD.
Also, we did not
include independent tests of management controls or validate the information or
results reported in the summarized reports. This summary report supports the
DoD OIG response to the OMB questions relating to FISMA. We conducted this
summary work from February through August 2007.

Use of Computer-Processed Data. We did not use computer-processed data
when compiling information for this summary report.

Appendix B. Prior Coverage

DoD OIG has issued eight information security summary reports. Unrestricted
DoD OIG reports can be accessed at http://www.dodig.osd.mil/audit/reports. The
remainder of the reports are For Official Use Only and can be obtained by
contacting the Freedom of Information Act Requester Service Center at
(703) 604-9775 (DSN 664-9775) or fax (703) 602-0294.

DoD IG Report No. D-2006-110, "Summary of Information Assurance
Weaknesses Found in Audit Reports Issued from August 1, 2005, through
July 31, 2006," September 14, 2006

DoD IG Report No. D-2005-110, "Summary of Information Security Weaknesses
Reported by Major Oversight Organizations From August 1, 2004, through
July 31, 2005 (FOUO)," September 23, 2005

DoD IG Report No. D-2004-116, "Information Security Weaknesses Reported by
Major Oversight Organizations From August 1, 2003, through July 31, 2004
(FOUO)," September 23, 2004

DoD IG Report No. D-2004-038, "Information Assurance Challenges – A
Summary of Results Reported from August 1, 2002, through July 31, 2003
(FOUO)," December 22, 2003

DoD IG Report No. D-2003-024, "Information Assurance Challenges – An
Evaluation of Audit Results Reported from August 23, 2001, through
July 31, 2002 (FOUO)," November 21, 2002

DoD IG Report No. D2001-182, "Information Assurance Challenges – A
Summary of Audit Results Reported April 1, 2000, through August 22, 2001
(FOUO)," September 19, 2001

DoD IG Report No. D2000-124, "Information Assurance Challenges – A
Summary of Audit Results Reported December 1, 1998, through March 31, 2000
(FOUO)," May 15, 2000

DoD IG Report No. 99-069, "Summary of Audit Results – DoD Information
Assurance Challenges," January 22, 1999

Appendix C. Glossary

Access Controls – Access controls limit information system resources to
authorized users, programs, processes, or other systems.

Audit Trail – An audit trail is a chronological record of system activities that
enables the reconstruction and examination of the sequence of events and/or
changes in an event.

Certification and Accreditation – Certification and accreditation is a combined
process that makes up the DoD Information Technology Security Certification
and Accreditation Process.

    •  Accreditation – Accreditation is the formal declaration by a
       designated accrediting authority that an information system is
       approved to operate in a particular security mode at an acceptable
       level of risk, based on the implementation of an approved set of
       technical, managerial, and procedural safeguards.

    •  Certification – Certification is a comprehensive evaluation of the
       technical and nontechnical security safeguards of an information
       system to support the accreditation process that establishes the extent
       to which a particular design and implementation meets a set of
       specified security requirements.

Configuration Management – Configuration management is the management of
security features and assurances through control of changes made to hardware,
software, firmware, documentation, test, test fixtures, and test documentation
throughout the life cycle of an information system.

Contingency Plan – A contingency plan is maintained for emergency response,
backup operations, and post-disaster recovery of an information system to ensure
the availability of critical resources and to facilitate the continuity of operations in
an emergency situation.

Continuity of Operations Plan – A continuity of operations plan is a plan for
continuing an organization's essential functions at an alternate site and
performing those functions for the duration of an event with little or no loss of
continuity before returning to normal operations.

Federal Information Systems Inventory Reporting – The head of each agency
must develop and maintain an inventory of major information systems, including
major national security systems, operated by or under the control of the agency.
The inventory of information systems or networks should include those not
operated by or under the control of the agency.

Incident Response – Also known as incident handling, incident response is the
mitigation of violations of security policies and recommended practices.

Personnel Security – The objective of the Personnel Security Program is to
ensure that the military, civilian, and contractor personnel assigned to and
retained in sensitive positions in which they could potentially damage national
security are, and remain, reliable and trustworthy, and no reasonable basis exists
for doubting their allegiance to the United States. Assignment to sensitive duties
is granted only to individuals who are U.S. citizens and for whom an appropriate
investigation has been completed.

Physical Security – Physical security refers to measures taken to protect systems,
buildings, and related supporting infrastructure against threats associated with
their physical environment.

Plan of Action and Milestones – A plan of action and milestones is a tool that
identifies tasks that need to be accomplished. A plan of action and milestones
details resources required to accomplish the elements of the plan, any milestones
in meeting the task, and scheduled completion dates for the milestones. The
purpose of a plan of action and milestones is to assist agencies in identifying,
assessing, prioritizing, and monitoring the progress of corrective efforts for
security weaknesses found in programs and systems.

Policies and Procedures – Policies and procedures are the aggregate of
directives, regulations, rules, and practices that regulate how an organization
manages, protects, and distributes information. Information security policy can
be contained in public laws, Executive orders, DoD Directives, and local
regulation.

Privacy Act Information – Privacy Act information is personal information
about an individual that links, relates, or is unique to or identifies or describes him
or her, such as social security number; age; military rank; civilian grade; marital
status; race; salary; home or office phone numbers; and other demographic,
biometric, personnel, medical, and financial information. This information is also
referred to as personally identifiable information, or that which can be used to
distinguish or trace an individual's identity.

Risk Assessment – Risk assessment is an analysis of threats to and vulnerabilities
of information systems and the potential impact resulting from the loss of an
information system and its capabilities. The analysis is used as a basis for
identifying appropriate and cost-effective security measures.

Security Awareness, Training, and Education

    •  Awareness – Awareness is a learning process that sets the stage for
       training by changing individual and organization attitudes to realize
       the importance of security and the adverse consequences of its failure.

    •  Training – Training is teaching people the knowledge and skills that
       will enable them to perform their jobs more effectively.

    •  Education – Education focuses on developing the ability and vision to
       perform complex, multi-disciplinary activities and the skills needed to
       further the information technology security profession. Education
       activities include research and development to keep pace with
       changing technologies.

Segregation of Duties – Segregation of duties refers to dividing roles and
responsibilities so that a single individual cannot subvert a critical process.

Appendix D.
Matrix of Information Assurance Weaknesses Reported From
August 1, 2006, Through July 31, 2007

[Matrix not reproduced: only the column headings survived extraction. The
columns are the IA areas: Access Controls; Certification and Accreditation;
Configuration Management; Contingency Plan; Continuity of Operations Plans;
Federal Information Systems Inventory Reporting; Incident Handling; Personnel
Security; Physical Security; Plan of Actions and Milestones; Privacy Act
Information; Risk, Threat, and Vulnerability Assessment; Security Awareness,
Training, and Education; and Security Policies and Procedures/Management
Oversight. The per-report rows are not present on this page.]
                                                                                                                                                                                                                                                                              Education\n      Agency\n    Report No.\n    Government\nAccountability Office\n    GAO-07-65                                                                                                                                                                                                                                                                                                                             X\n      Office of\nInspector General of\n      the DoD\n    D-2007-101          X                 X\n    D-2007-099          X                                                                                                                                                                                                                                                              X                                       X          X\n    D-2007-096          X                                                   X                                                                                                                                                     X                                                                                X                      X\n    D-2007-089          X                 X                                 X                          X                  X                                       X                                                                                   X                                                                                   X\n    D-2007-082          X                 X                                 X                          X                                                                                 X                                 
       X                                                                                            X          X\n    D-2007-040          X                                                   X                          X                  X                                                                                                       X                                                                                                       X\n    D-2007-039                            X                                                                                                                       X                                                                                                                                                            X\n    D-2007-031                                                                                                            X                                                                                                                                                                                                               X\n    D-2007-025                            X                                                                                                                                                                                                                                                                                               X\n    D-2007-006                                                                                                            X                                                                                                                                                                                                               X\n    D-2006-107          X                 X                                 X                                                                                                                                                     X     
                                                                                       X          X\n     Army\n  Audit Agency\n A-2006-0199-FFI                                                                                                                                                                                                                                                                                                                          X\n A-2006-0181-FFI                                                                                                                                                                                                                                                                                                                          X\n A-2006-0180-FFI                                                                                                                                                                                                                                                                                                                          X\n A-2006-0179-FFI                                                                                                                                                                                                                                                                                                                          X\n\n\n\n\n                                                                                                                                          12\n\n\x0c                                                                                                                                                                                                                                                                                                                                                                   Naval\n\n\n\n\n      Total\n 
                                                                                                                                                                                                                                                                                                                                                                  Agency\n\n\n\n\n                                                                                                                                                                                                   Air Force\n                                                                                                                                                                                                                 N2006-0045\n                                                                                                                                                                                                                              N2006-0048\n                                                                                                                                                                                                                                           N2007-0004\n                                                                                                                                                                                                                                                        N2007-0012\n                                                                                                                                                                                                                                                                     N2007-0014\n                                                                                                                                                                                             
                                                                                     N2007-0016\n                                                                                                                                                                                                                                                                                               N2007-0017\n                                                                                                                                                                                                                                                                                                            N2007-0018\n                                                                                                                                                                                                                                                                                                                         N2007-0025\n                                                                                                                                                                                                                                                                                                                                      N2007-0035\n                                                                                                                                                                                                                                                                                                                                                   N2007-0036\n                                                                                                                                                                                                                                                                                      
                                                                           Report No.\n\n                                                                                                                                                                                                                                                                                                                                                                Audit Service\n\n\n\n\n                                                                                                                                                                                                  Audit Agency\n                                                                                                                                                                              F2007-0005-FB2000\n\n\n\n\n                                                                                                                  F2007-0004-FB4000\n                                                                                                                                      F2007-0006-FB4000\n                                                                                                                                                          F2007-0004-FB2000\n\n\n\n\n                                                                                              F2007-0001-FB4000\n\n\n\n\n                                  F2006-0009-FB2000\n                                                      F2006-0011-FB2000\n                                                                          F2007-0001-FB2000\n\n\n\n\n              F2006-0008-FB4000\n                                                                                                                                                                              X\n\n\n\n\n                                                                                              
                    X\n                                                                                                                                      X\n                                                                                                                                                          X\n\n\n\n\n                                  X\n                                                      X\n                                                                          X\n\n\n\n\n              X\n      15\n                                                                                                                                                                                                                                                                                                                                                                       Access Controls\n\n\n\n\n      7\n                                                                                                                                                          X\n                                                                                                                                                                                                                                                                                                                                                                       Certification and Accreditation\n\n\n\n\n      7\n                                  X\n                                                      X\n                                                                                                                                                                                                                                                                                                                                                                       Configuration Management\n\n\n\n\n      7\n              
                                                                                                                        X\n                                                                                                                                                          X\n                                                                                                                                                                                                                                                                                  X\n                                                                                                                                                                                                                                                                                               X\n                                                                                                                                                                                                                                                                                                                                                                       Contingency Plan\n\n\n\n\n      7\n                                                                                                                                                                                                                                                                                  X\n                                                                                                                                                                                                                                                                                               X\n\n\n\n\n                                                                          X\n                                                                                                           
                                                                                                                                                                                                                                                            Continuity of Operations Plans\n\n\n\n\n13\n\n                                                                                                                                                                                                                                                                                                                                                                       Federal Information Systems\n\n\n\n\n      2\n                                                                                                                                                                                                                                                                                                                                                                       Inventory Reporting\n\n\n\n\n      1\n                                                                                                                                                                                                                                                                                                                                                                       Incident Handling\n\n\n\n\n      1\n              X\n                                                                                                                                                                                                                                                                                                                                                                       Personnel Security\n\n\n\n\n      5\n                                                                                            
                      X\n                                                                                                                                                                                                                                                                                                                                                                       Physical Security\n\n\n\n\n      1\n                                                                                                                                                                                                                                                                                                                                                                       Plan of Actions and Milestones\n\n\n                                                                                                                                                                                                                 X\n                                                                                                                                                                                                                              X\n                                                                                                                                                                                                                                           X\n                                                                                                                                                                                                                                                        X\n                                                                                                                                                                                                                                                                   
  X\n                                                                                                                                                                                                                                                                                                            X\n                                                                                                                                                                                                                                                                                                                         X\n                                                                                                                                                                                                                                                                                                                                      X\n                                                                                                                                                                                                                                                                                                                                                   X\n\n\n\n\n      10\n                                                                                                                                                                                                                                                                                                                                                                       Privacy Act Information\n                                                                                                                                                                                                                                                                                                               
                                                        Risk, Threat, and Vulnerability\n\n\n\n\n      2\n                                                      X\n                                                                                                                                                                                                                                                                                                                                                                       Assessment\n                                                                                                                                                                                                                                                                                                                                                                       Security Awareness, Training,\n\n\n\n\n      8\n                                                                                                                  X\n                                                                                              X\n\n\n\n\n                                  X\n              X\n                                                                                                                                                                                                                                                                                                                                                                       Education\n                                                                                                                                                                                                                                                                                                                                                                       Security Policies and Procedures/\n                   
                                                                                                                                                           X\n\n\n\n\n                                                                                                                  X\n                                                                                                                                      X\n\n\n                                                                                              X\n                                                                                                                                                                                                                 X\n                                                                                                                                                                                                                              X\n                                                                                                                                                                                                                                           X\n                                                                                                                                                                                                                                                        X\n                                                                                                                                                                                                                                                                     X\n                                                                                                                                                                                                                                                                                  X\n            
                                                                                                                                                                                                                                                                                   X\n                                                                                                                                                                                                                                                                                                            X\n                                                                                                                                                                                                                                                                                                                         X\n                                                                                                                                                                                                                                                                                                                                      X\n                                                                                                                                                                                                                                                                                                                                                   X\n\n\n\n\n                                  X\n                                                      X\n                                                                          X\n\n\n\n\n              X\n      33\n                                                                                                                                                                                                                          
Management Oversight

Appendix E. Audit Reports Issued From August 1, 2006, Through July 31, 2007, Identifying Information Assurance Weaknesses

GAO
    GAO Report No. GAO-07-65, “Information Security: Agencies Need to Develop and Implement Adequate Policies for Periodic Testing,” October 20, 2006

DoD IG
    DoD IG Report No. D-2007-099, “Report on Audit of Privacy Program and Privacy Impact Assessments,” June 13, 2007

    DoD IG Report No. D-2007-101, “DFAS Corporate Database/DFAS Corporate Warehouse Compliance with the Defense Business Transformation Certification Criteria,” May 18, 2007

    DoD IG Report No. D-2007-096, “Information Assurance Controls for the Defense Civilian Pay System (FOUO),” May 14, 2007

    DoD IG Report No. D-2007-089, “Selected Controls for Information Security of the U.S. Transportation Command’s Integrated Computerized Deployment System (FOUO),” April 30, 2007

    DoD IG Report No. D-2007-082, “Defense Information Systems Agency Controls over the Center for Computing Services,” April 9, 2007

    DoD IG Report No. D-2007-040, “The General and Application Controls over the Financial Management System at the Military Sealift Command,” January 2, 2007

    DoD IG Report No. D-2007-039, “Audit of Information Assurance of Missile Defense Agency Information Systems (FOUO),” December 21, 2006

    DoD IG Report No. D-2007-031, “The Effects of Hurricane Katrina on the Defense Information Systems Agency Continuity of Operations and Test Facility,” December 12, 2006

    DoD IG Report No. D-2007-025, “Acquisition of the Pacific Mobile Emergency Radio System (FOUO),” November 22, 2006

    DoD IG Report No. D-2007-006, “Hurricane Katrina Disaster Recovery Efforts Related to Army Information Technology Resources,” October 19, 2006

    DoD IG Report No. D-2006-107, “Defense Departmental Reporting System and Related Financial Statement Compilation Process Controls Placed in Operation and Tests of Operating Effectiveness for the Period October 1, 2004, through March 31, 2005 (FOUO),” August 18, 2006

Army Audit Agency
    Army Audit Agency Report No. A-2006-0199-FFI, “Installation Campus Area Network Connectivity - Terrestrial-Based Connections,” September 29, 2006

    Army Audit Agency Report No. A-2006-0181-FFI, “Installation Campus Area Network Connectivity - Wireless Networks (U.S. Army Garrison, Aberdeen Proving Ground, Maryland),” September 28, 2006

    Army Audit Agency Report No. A-2006-0180-FFI, “Installation Campus Area Network Connectivity - Wireless Networks (U.S. Army Garrison, Fort Huachuca, Arizona),” September 28, 2006

    Army Audit Agency Report No. A-2006-0179-FFI, “Installation Campus Area Network Connectivity - Wireless Networks (U.S. Army Garrison, Fort Gordon, Georgia),” September 15, 2006

Naval Audit Service
    Naval Audit Service Report No. N2007-0036, “Disposal of Protected Personal Information at Naval Support Activity Mid-South, Millington, TN (FOUO),” May 25, 2007

    Naval Audit Service Report No. N2007-0035, “Disposal of Protected Personal Information at Naval Station Norfolk and Naval Amphibious Base Little Creek, Norfolk, VA (FOUO),” May 25, 2007

    Naval Audit Service Report No. N2007-0025, “Disposal of Protected Personal Information at Naval Medical Center, VA,” April 12, 2007

    Naval Audit Service Report No. N2007-0018, “Disposal of Protected Personal Information at Naval District Washington, DC (FOUO),” March 1, 2007

    Naval Audit Service Report No. N2007-0017, “Ordnance Information System (FOUO),” February 28, 2007

    Naval Audit Service Report No. N2007-0016, “Information Systems Restoration and Data Recovery Related to Hurricane Katrina (FOUO),” February 23, 2007

    Naval Audit Service Report No. N2007-0014, “Disposal of Protected Personal Information at Marine Corps Base Camp Pendleton, CA (FOUO),” February 15, 2007

    Naval Audit Service Report No. N2007-0012, “Disposal of Protected Personal Information at Naval Station San Diego, CA (FOUO),” February 2, 2007

    Naval Audit Service Report No. N2007-0004, “Management of Privacy Act Information at Naval District Washington (FOUO),” November 21, 2006

    Naval Audit Service Report No. N2006-0048, “Disposal of Protected Personal Information at Naval Station Great Lakes, IL,” September 27, 2006

    Naval Audit Service Report No. N2006-0045, “Disposal of Protected Personal Information at Naval Station Pensacola, FL (FOUO),” September 13, 2006

Air Force Audit Agency
    Air Force Audit Agency Report No. F2007-0005-FB2000, “Standard Base Supply System Controls,” July 13, 2007

    Air Force Audit Agency Report No. F2007-0004-FB2000, “Reliability, Availability, Maintainability Support System for Electronic Combat Pods System Controls,” May 25, 2007

    Air Force Audit Agency Report No. F2007-0006-FB4000, “Shared Network Storage Management (FOUO),” April 27, 2007

    Air Force Audit Agency Report No. F2007-0004-FB4000, “Security of Remote Computer Devices (FOUO),” March 13, 2007

    Air Force Audit Agency Report No. F2007-0001-FB4000, “Selected Aspects of Computer Network Intrusion Detection (FOUO),” December 12, 2006

    Air Force Audit Agency Report No. F2007-0001-FB2000, “Military Personnel Data System Controls,” November 20, 2006

    Air Force Audit Agency Report No. F2006-0011-FB2000, “Air Force Equipment Management System Controls,” September 25, 2006

    Air Force Audit Agency Report No. F2006-0008-FB4000, “Follow-Up Audit, Controls Over Access to Air Force Networks and Systems (FOUO),” September 11, 2006

    Air Force Audit Agency Report No. F2006-0009-FB2000, “Contract Writing System Controls,” August 3, 2006

Appendix F. Audit Reports From Prior Information Assurance Summary Reports With Unresolved Recommendations

    IA weaknesses continue to exist throughout DoD. Of the 369 reports included in 8 prior IA summary reports, 40 had unresolved recommendations; that is, management had not corrected agreed-upon IA weaknesses within 12 months of the report issue date. The list of reports with unresolved recommendations was compiled from information that GAO and the DoD audit community provided in July 2007 and may be incomplete because of the extent of information maintained in their respective follow-up systems.

GAO
    GAO Report No. GAO-06-31, “The Defense Logistics Agency Needs to Fully Implement Its Security Program,” October 7, 2005

DoD IG
    DoD IG Report No. D-2006-096, “Select Controls for the Information Security of the Command and Control Battle Management Communications System (FOUO),” July 14, 2006

    DoD IG Report No. D-2006-084, “Information Assurance of Commercially Managed Collaboration Services for the Global Information Grid (FOUO),” May 17, 2006

    DoD IG Report No. D-2006-079, “Review of the Information Security Operational Controls of the Defense Logistics Agency’s Business Systems Modernization Energy,” April 24, 2006

    DoD IG Report No. D-2006-078, “Defense Information Systems Agency Encore II Information Technology Solutions Contract (FOUO),” April 21, 2006

    DoD IG Report No. D-2006-074, “Technical Report on the Defense Civilian Pay System General and Application Controls (FOUO),” April 12, 2006

    DoD IG Report No. D-2006-069, “Technical Report on the Defense Business Management System (FOUO),” April 3, 2006

    DoD IG Report No. D-2006-060, “System Engineering Planning for the Ballistic Missile Defense System (FOUO),” March 3, 2006

    DoD IG Report No. D-2006-053, “Select Controls for the Information Security of the Ground-Based Midcourse Defense Communications Network,” February 24, 2006

    DoD IG Report No. D-2006-052, “DoD Organization Information Assurance Management of Information Technology Goods and Services Acquired Through Interagency Agreement,” February 23, 2006

    DoD IG Report No. D-2006-046, “Technical Report on the Defense Property Accountability System (FOUO),” January 27, 2006

    DoD IG Report No. D-2006-042, “Security Status for Systems Reported in DoD Information Technology Databases,” December 30, 2005

    DoD IG Report No. D-2006-030, “Report on Diagnostic Testing at the Defense Information Systems Agency, Center for Computing Services (FOUO),” November 30, 2005

    DoD IG Report No. D-2006-003, “Security Controls Over Selected Military Health System Corporate Databases (FOUO),” October 7, 2005

    DoD IG Report No. D-2005-099, “Status of Selected DoD Policies on Information Technology Governance,” August 19, 2005

    DoD IG Report No. D-2005-094, “Proposed DoD Information Assurance Certification and Accreditation Process (FOUO),” July 21, 2005

    DoD IG Report No. D-2005-069, “Audit of the General and Application Controls of the Defense Civilian Pay System (FOUO),” May 13, 2005

    DoD IG Report No. D-2005-054, “Audit of the DoD Information Technology Security Certification and Accreditation Process (FOUO),” April 28, 2005

    DoD IG Report No. D-2005-033, “Implementation of Interoperability and Information Assurance Policies for Acquisition of Navy Systems,” February 2, 2005

    DoD IG Report No. D-2005-023, “Assessment of DoD Plan of Action and Milestone Process (FOUO),” December 13, 2004

    DoD IG Report No. D-2004-114, “The Follow-up on the Government Accountability Office and U.S. Army Audit Agency Recommendations for the U.S. Army Corps of Engineers (FOUO),” September 21, 2004

    DoD IG Report No. D-2004-041, “The Security of the Army Corps of Engineers Enterprise Infrastructure Services Wide-Area Network (FOUO),” December 26, 2003

    DoD IG Report No. D-2004-008, “Implementation of Interoperability and Information Assurance Policies for Acquisition of Army Systems,” October 15, 2003

    DoD IG Report No. D-2003-134, “System Security of the Army Corps of Engineers Financial Management System (FOUO),” September 15, 2003

    DoD IG Report No. D-2002-108, “Standard Procurement System Certification and Accreditation Process (FOUO),” June 19, 2002

    DoD IG Report No. D-2001-148, “Automated Transportation Payments,” June 22, 2001

    DoD IG Report No. D-2001-141, “Allegations to the Defense Hotline on the Defense Security Assistance Management System,” June 19, 2001

Naval Audit Service
    Naval Audit Service Report No. N2005-0049, “Information Security Controls at Naval Shipyards,” July 7, 2005

    Naval Audit Service Report No. N2005-0036, “Verification of the Reliability and Validity of the Navy Enlisted System Data (FOUO),” March 30, 2005

    Naval Audit Service Report No. N2004-0063, “Information Security - Operational Controls at Naval Aviation Depots,” July 9, 2004

    Naval Audit Service Report No. N2003-0012, “Verification of the Reliability and Validity of the Department of the Navy’s Total Force Manpower Management System (TFMMS) Data,” November 8, 2002

Air Force Audit Agency
    Air Force Audit Agency Report No. F2006-0008-FB2000, “System Controls for Item Manager Wholesale Requisition Process System,” June 21, 2006

    Air Force Audit Agency Report No. F2006-0007-FB2000, “Missile Readiness Integrated Support Facility/Integrated Missile Database System Controls,” May 30, 2006

    Air Force Audit Agency Report No. F2006-0006-FB2000, “Controls for the Wholesale and Retail Receiving and Shipping System,” May 19, 2006

    Air Force Audit Agency Report No. F2006-0004-FB2000, “Implementation of Selected Aspects of Security in Air Force Systems,” April 17, 2006

    Air Force Audit Agency Report No. F2005-0010-FB2000, “System Controls for Financial Inventory Accounting and Billing System,” September 20, 2005

    Air Force Audit Agency Report No. F2005-0005-FB4000, “Certification and Accreditation of Air Force Major Command Systems,” July 11, 2005

    Air Force Audit Agency Report No. F2004-0006-FB2000, “System Controls for Reliability and Maintainability Information System,” September 27, 2004

    Air Force Audit Agency Report No. F2004-0006-FB4000, “Visibility of Air Force Information Technology Resources,” May 4, 2004

    Air Force Audit Agency Report No. 00054006, “Air Force Restoration Information Management System Controls,” May 18, 2001

Appendix G. Report Distribution

Office of the Secretary of Defense
Under Secretary of Defense for Acquisition, Technology, and Logistics
Under Secretary of Defense (Comptroller)/Chief Financial Officer
Under Secretary of Defense for Personnel and Readiness
Assistant Secretary of Defense for Networks and Information Integration/Chief Information Officer
Assistant Secretary of Defense for Health Affairs/Chief Information Officer
Assistant Secretary of Defense for Intelligence Oversight/Chief Information Officer
Chief Information Officer, Office of the Secretary of Defense
Director, Program Analysis and Evaluation

Joint Staff
Director, Joint Staff
Chief Information Officer, Joint Staff

Department of the Army
Assistant Secretary of the Army (Financial Management and Comptroller)
Auditor General, Department of the Army
Chief Information Officer, Department of the Army

Department of the Navy
Assistant Secretary of the Navy (Financial Management and Comptroller)
Naval Inspector General
Auditor General, Department of the Navy
Chief Information Officer, Department of the Navy
Chief Information Officer, U.S. Marine Corps

Department of the Air Force
Assistant Secretary of the Air Force (Financial Management and Comptroller)
Auditor General, Department of the Air Force
Chief Information Officer, Department of the Air Force

Unified Commands
Chief Information Officer, U.S. Central Command
Chief Information Officer, U.S. European Command
Chief Information Officer, U.S. Joint Forces Command
Chief Information Officer, U.S. Northern Command
Chief Information Officer, U.S. Pacific Command
Chief Information Officer, U.S. Southern Command
Chief Information Officer, U.S. Special Operations Command
Chief Information Officer, U.S. Strategic Command
Chief Information Officer, U.S. Transportation Command

Other Defense Organizations
Chief Information Officer, American Forces Information Service
Chief Information Officer, Business Transformation Agency
Chief Information Officer, Defense Advanced Research Projects Agency
Chief Information Officer, Defense Commissary Agency
Chief Information Officer, Defense Contract Audit Agency
Chief Information Officer, Defense Contract Management Agency
Chief Information Officer, Defense Finance and Accounting Service
Chief Information Officer, Defense Information Systems Agency
Chief Information Officer, Defense Logistics Agency
Chief Information Officer, Defense Security Cooperation Agency
Chief Information Officer, Defense Security Service
Chief Information Officer, Defense Technical Information Center
Chief Information Officer, Defense Technology Security Administration
Chief Information Officer, Defense Threat Reduction Agency
Chief Information Officer, DoD Education Activity
Chief Information Officer, DoD Human Resources Activity
Chief Information Officer, DoD Inspector General
Chief Information Officer, DoD Test Resource Management Center
Chief Information Officer, Missile Defense Agency
Chief Information Officer, Pentagon Force Protection Agency
Chief Information Officer, TRICARE Management Agency
Chief Information Officer, U.S. Mission North Atlantic Treaty Organization
Chief Information Officer, Washington Headquarters Service

Non-Defense Federal Organization
Office of Management and Budget

Congressional Committees and Subcommittees, Chairman and Ranking Minority Member
Senate Committee on Appropriations
Senate Subcommittee on Defense, Committee on Appropriations
Senate Committee on Armed Services
Senate Committee on Homeland Security and Governmental Affairs
House Committee on Appropriations
House Subcommittee on Defense, Committee on Appropriations
House Committee on Armed Services
House Committee on Oversight and Government Reform
House Subcommittee on Government Management, Organization, and Procurement, Committee on Oversight and Government Reform
House Subcommittee on National Security and Foreign Affairs, Committee on Oversight and Government Reform

Team Members
The Department of Defense Office of the Deputy Inspector General for Auditing, Readiness and Operations Support prepared this report. Personnel of the Department of Defense Office of Inspector General who contributed to the report are listed below.

Kathryn M. Truex
Donald A. Bloomer
Robert R. Johnson
Gloria A. Young
Cory M. James
Allison Tarmann